A highly targeted malware campaign against iPhone users in India has been unearthed by Cisco Talos security researchers. The campaign has been active since August 2015 and is spying on 13 specific iPhones. The attackers, who were most likely operating from India (although posing as Russians), abused the devices' MDM protocol.

How Were the Attackers Exploiting the MDM Protocol?

MDM (mobile device management) is a piece of security software that large companies use to monitor employee devices. In this campaign, the MDM protocol was used by remote operators (the attackers) to carry out malicious actions on the enrolled devices.

As explained by Apple, MDM is designed to use the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.

Companies can deliver the MDM configuration file via email or through a webpage for the so-called over-the-air enrollment service with the help of Apple Configurator. Once installed, the service allows company admins to remotely control the device and install or remove apps, install or revoke certificates, lock the device, change password requirements, among other activities.

It is still unknown how the attackers compromised the 13 targeted iPhones. As explained, the MDM enrollment process depends on user interaction, and researchers suspect that social engineering techniques may have been employed to trick the targeted users.

It’s very possible that the attackers used the MDM service to remotely install modified versions of legitimate apps onto the targeted iPhones. The apps were designed to spy on users and harvest their real-time location, contacts, photos, and SMS and private messages from messaging apps. More specifically, to subvert apps such as Telegram and WhatsApp, the attackers used the so-called “BOptions sideloading technique.”
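Because enrollment hinges on a user installing a profile delivered by email or a web page, the defensive check is to inspect that profile before it is trusted. The following is an added example, not code from the Talos report: it parses a constructed .mobileconfig blob, flags MDM server hosts outside an assumed corporate allowlist, and lists the dangerous AccessRights bits the profile would grant (bit meanings taken from Apple's MDM payload reference; treated as an assumption here).

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an iOS MDM enrollment profile for illustration only;
# hostnames, identifiers and topic are placeholders, not values from the campaign.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm-profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>ServerURL</key><string>https://mdm.example-unknown.test/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example-unknown.test/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>"""

# MDM servers this (hypothetical) organisation actually operates.
APPROVED_MDM_HOSTS = {"mdm.corp.example"}

# Subset of MDM AccessRights bit flags (assumed from Apple's MDM payload reference).
RIGHT_NAMES = {
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    4096: "manage apps",
}

def audit_profile(raw):
    """Return a list of findings for every com.apple.mdm payload in the profile."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        for key in ("ServerURL", "CheckInURL"):
            url = urlparse(payload.get(key, ""))
            if (url.hostname or "") not in APPROVED_MDM_HOSTS:
                findings.append(f"{key} points at unapproved host {url.hostname!r}")
            if url.scheme != "https":
                findings.append(f"{key} is not HTTPS")
        rights = payload.get("AccessRights", 0)
        findings += [f"AccessRights grants {n}" for b, n in RIGHT_NAMES.items() if rights & b]
    return findings
```

An empty list means the profile only talks to approved servers over HTTPS and grants none of the listed rights; anything else should be reviewed before the user taps Install.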
